Many moons ago when I was in internal audit a friend of mine who was an application manager within the same company brought me an interesting request; he wanted me to audit his application. I was a bit befuddled, and when I asked “why” he informed me that his application contained the formulations of all of the company’s sauces and similar products throughout the world. I asked him when the last time he was audited was and he quipped “never”.
This got me thinking, as I started getting similar responses with regard to companies either delaying assessments – or flatly not performing assessments – of third party service providers (TPSPs) who may be receiving non-personally identifiable data.
Third parties receiving personally identifiable information (PII) – which includes protected health information (PHI) and cardholder/payment card industry (PCI) data – seem to be getting most, if not all, of the attention of vendor risk managers due to regulatory or industry scrutiny. Such scrutiny is justifiable, as breaches can bring on fines (if the entity is regulated), class-action lawsuits, severe reputational damage, and the like. However, this is still no reason to delay or flat-out ignore assessing TPSPs that do not receive PII. Sadly, I’ve witnessed many companies focus their efforts solely on customer/client data.
According to a recently published E&Y study (http://www.ey.com/Publication/vwLUAssets/EY-global-information-security-survey-2014/$FILE/EY-global-information-security-survey-2014.pdf) fielding responses from 1,825 enterprises, careless employees, outdated security controls and use of cloud computing were cited as the main areas that businesses said increased their risk exposure during the past 12 months. The study also noted that “stealing intellectual property or data” was one of the top concerns relating to cyber threats companies need to contend with. You read that correctly: “intellectual property.”
Any TPSP coming in contact with what I call “CIPS” data – confidential (financial, compensation, other non-published data), intellectual property (copyrights, patents, trademarks, formulations), and/or strategic (mergers and acquisition plans, marketing initiatives) – should also be assessed on a periodic basis in the same manner as PII data. I can assure you many executives would worry about CIPS data falling into the hands of a competitor due to an incident at a TPSP that caused it to be either exposed or missing due to inadequate controls. As witnessed recently, incidents involving TPSPs – unauthorized access to data, access to unencrypted data, missing backups and flash drives, and lost or stolen laptops – continue to occur with upsetting regularity.
To begin the discussion of frequency of reassessing your vendors handling CIPS data, one should consult the appropriate C-suite stakeholders, such as the chief officers in the information security, privacy, and legal offices. Once the frequency has been established the next step is to determine whether they should be assessed with the same scrutiny as those receiving PII data.
The Program Tools of the Shared Assessments Program are excellent in assisting in this regard.
The Standard Information Gathering (SIG) questionnaire – the standard for assessing overall privacy and security posture – is the “trust” component of your assessment arsenal. The SIG helps to ensure you are obtaining all of the information necessary to conduct an initial assessment of a TPSP’s IT, privacy, and data security controls.
The “verify” portion of the Program is the Agreed Upon Procedures (AUP), which allows an assessor (whether internal or external) to validate the answers the TPSP provided to your SIG questionnaire. If you choose to do this onsite, it also sets forth the risk control areas to be assessed, the procedures to be followed while conducting the assessment, and the sampling procedures to use.
Third party organizations receiving your CIPS data should be under similar scrutiny as those receiving your PII data. As trends evidence, breaches of CIPS data are increasing, and the time has never been more critical to start reviewing your vendors’ privacy and security controls for handling such data.
Shared Assessments Senior Director Tom Garrubba is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk.